Interpret ntoskrnl.exe NT Kernel ICMP Type 8 Echo requests
comp.security.firewalls archive

From: Barbara Ellman <barbaraellman@vzavenue.net>
Date: Wed Feb 15 2006 - 17:10:51 CET

How do you interpret this Sygate Personal Firewall message?

I did not initiate (at least not on purpose) any ping of 204.152.33.21.
In fact, I don't even know what that is (I looked it up on a reverse DNS
and it came up empty).

Why is my Windows XP PC wireless port (MAC address 00-0d-60-20-23-31)
asking to connect, all on its own, to 204.152.33.21?

Here is the full Sygate message that asked me to accept or deny.
How do I glean clues from this supposedly detailed report so I can figure
out why it is doing this?

File Version : 5.1.2600.2622
File Description : NT Kernel & System (ntoskrnl.exe)
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)
Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.0.101
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name :
Remote Address : 204.152.33.21
Ethernet packet details:
Ethernet II (Packet Length: 120)
        Destination: 00-80-c8-b0-69-8a
        Source: 00-0d-60-20-23-31
Type: IP (0x0800)
Internet Protocol
        Version: 4
        Header Length: 20 bytes
        Flags:
                .0.. = Don't fragment: Not set
                ..0. = More fragments: Not set
        Fragment offset:0
        Time to live: 2
        Protocol: 0x1 (ICMP - Internet Control Message Protocol)
        Header checksum: 0xd708 (Correct)
        Source: 192.168.0.1
        Destination: 204.152.33.21
Internet Control Message Protocol
        Type: 8 (Echo Request)
        Code: 0
        Data (68 bytes)
Binary dump of the packet:
0000: 00 80 C8 B0 69 8A 00 0D : 60 20 23 31 08 00 45 00 | ....i...`C#I..E.
0010: 00 5C 01 10 00 00 02 01 : 08 D7 C0 A8 00 65 CC 98 | .\...........e..
0020: 21 15 08 00 F0 FF 03 00 : 04 00 00 00 00 00 00 00 | !...............
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 41 43 41 43 41 43 | ..........ACACAC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
Received on Mon May 1 00:50:50 2006
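The frame Sygate dumps above, decoded field by field: an added Python example that is not part of the original post. It rebuilds the 120 bytes from the hex dump (constructed inline from the lines shown) and verifies both the IPv4 and ICMP checksums using only the standard library.

```python
import struct

# The 120-byte Ethernet frame, constructed from the hex dump in the post.
FRAME = bytes.fromhex(
    "0080c8b0698a" "000d60202331" "0800"              # Ethernet II: dst MAC, src MAC, EtherType
    "4500005c01100000020108d7" "c0a80065" "cc982115"  # IPv4 header (TTL 2, protocol 1 = ICMP)
    "0800f0ff03000400" + "00" * 64                    # ICMP echo request + 64 zero data bytes
    + "414341434143" "4143414341434143"               # 14 bytes that lie past the IP datagram
)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over data that
    already carries a correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def mac_str(b: bytes) -> str:
    return "-".join("%02x" % x for x in b)

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II / IPv4 / ICMP headers and verify both checksums."""
    eth_dst, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    icmp = ip[ihl:total_len]                # the ICMP message ends where IP total length says
    icmp_type, icmp_code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "eth_type": eth_type,
        "ip_src": ".".join(str(x) for x in ip[12:16]),
        "ip_dst": ".".join(str(x) for x in ip[16:20]),
        "ttl": ttl, "proto": proto, "ip_total_len": total_len,
        "ip_checksum_ok": inet_checksum(ip[:ihl]) == 0,
        "icmp_type": icmp_type, "icmp_code": icmp_code,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "icmp_id": ident, "icmp_seq": seq,  # raw wire values; Windows writes these in host order
        "icmp_data_len": len(icmp) - 8,
        "trailer": frame[14 + total_len:],  # bytes after the IP datagram: frame padding/trailer
    }

if __name__ == "__main__":
    for key, value in parse_frame(FRAME).items():
        print("%-17s %r" % (key, value))
```

Walking the dump this way shows the source bytes c0 a8 00 65 decode to 192.168.0.101 (the log's own decode line prints 192.168.0.1), and that the "ACAC..." bytes begin at offset 106, beyond the 92-byte IP total length, so they are frame trailer rather than echo payload; the echo request itself carries TTL 2 and 64 zero data bytes.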